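#!/bin/bash
# I, Ian Kelling, follow the GNU license recommendations at
# https://www.gnu.org/licenses/license-recommendations.en.html. They
# recommend that small programs, < 300 lines, be licensed under the
# Apache License 2.0. This file contains or is part of one or more small
# programs. If a small program grows beyond 300 lines, I plan to switch
# its license to GPL.

# Copyright 2024 Ian Kelling

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Usage: vpn-mk-client-cert NAME COMMON_NAME
#
# Issues an OpenVPN client certificate for COMMON_NAME from the easy-rsa
# instance /etc/openvpn/easy-rsa-NAME (skipped when the key and cert
# already exist), then outputs the keyfiles to stdout as tar.gz:
#   ta-NAME.key  tls-auth key copied from the server dir
#   ca-NAME.crt  CA certificate copied from the server dir
#   NAME.key     client private key
#   NAME.crt     client certificate
# Everything else (diagnostics and the set -x trace) goes to
# /tmp/vpn-mk-client-cert.log so that stdout carries only the archive.

set -eE -o pipefail

log=/tmp/vpn-mk-client-cert.log
rm -f -- "$log"
# /tmp is world-writable and this normally runs as root. With noclobber
# the redirection refuses to write to a file that already exists (also
# when reached through a symlink) instead of truncating it, so a path
# planted between the rm and the exec makes the script abort rather than
# overwrite an unrelated file.
set -o noclobber
exec 2>"$log"
set +o noclobber

if ! test "$BASH_VERSION"; then echo "error: shell is not bash" >&2; exit 1; fi
shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?. PIPESTATUS: ${PIPESTATUS[*]}" >&2' ERR

date >&2
set -x

# Both arguments become path components (easy-rsa dir, file names inside
# the archive), so reject empty values and anything that would move the
# paths out of the intended directories.
if (( $# != 2 )); then
  echo "usage: ${0##*/} NAME COMMON_NAME" >&2
  exit 1
fi
name=$1
common_name=$2
for arg in "$name" "$common_name"; do
  if [[ -z $arg || $arg == */* || $arg == . || $arg == .. ]]; then
    echo "error: invalid name argument: $arg" >&2
    exit 1
  fi
done

server_dir=/etc/openvpn
if [[ -e /etc/openvpn/server ]]; then
  server_dir=/etc/openvpn/server
fi
cafile=$server_dir/ca-$name.crt
tafile=$server_dir/ta-$name.key

### begin section roughly copied from vpn-server-setup
rsadir=/etc/openvpn/easy-rsa-$name
new=true # newer easy-rsa version
keyfiles=(
  "$rsadir/pki/private/$common_name.key"
  "$rsadir/pki/issued/$common_name.crt"
)
if [[ -e $rsadir/build-ca ]]; then
  # The old build-ca script marks an easy-rsa 2.x layout, which keeps
  # everything under keys/.
  new=false
  keyfiles=(
    "$rsadir/keys/$common_name.key"
    "$rsadir/keys/$common_name.crt"
  )
fi
### end section roughly copied from vpn-server-setup

if [[ ! -e $cafile ]]; then
  echo "error: no cafile found at $cafile" >&2
  exit 1
fi

# Only generate when at least one of the expected files is missing.
exists=true
for x in "${keyfiles[@]}"; do
  if [[ ! -e $x ]]; then
    exists=false
    break
  fi
done

if ! $exists; then
  cd "$rsadir"
  if $new; then
    ./easyrsa build-client-full "$common_name" nopass >/dev/null
  else
    # easy-rsa 2.x build-key is interactive: accept the defaults for the
    # DN fields, supply the CN, then answer 'y' twice to sign and commit.
    # NOTE(review): build-key names its output after its argument ($name),
    # while keyfiles above expects $common_name.* — confirm the two are
    # always equal for 2.x setups (kept as-is from vpn-server-setup).
    source vars >/dev/null
    { echo -e '\n\n\n\n\n'"$common_name"'\n\n\n\n\n'; sleep 2; echo -e 'y\ny\n'; } | ./build-key "$name" >/dev/null
  fi
fi

d=$(mktemp -d)
# The staging dir holds the client's private key; remove it on every
# exit path, not only after a successful tar.
cleanup() { rm -rf -- "${d:?}"; }
trap cleanup EXIT
cp -- "$tafile" "$cafile" "$d"
for f in "${keyfiles[@]}"; do
  # Rename to NAME.key / NAME.crt so the bundle is self-describing.
  cp -- "$f" "$d/$name.${f##*.}"
done
tar cz -C "$d" .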